Schnucks says a recent audit showed it was in compliance with industry standards for data security, and insists it is working “nonstop” to ensure customers’ payment card information is protected.
Schnuck Markets Inc. issued a statement Sunday saying a November audit showed the company met standards required for companies that accept credit cards.
When asked by the Post-Dispatch on March 28 when it had its last audit, the company did not respond.
Schnucks first confirmed to the newspaper on March 22 that it was investigating a breach. The company said it first became aware of fraudulent activity on March 15.
The company has since worked with law enforcement agencies, including the Missouri and Illinois attorneys general, the U.S. Secret Service and the FBI.
Data security experts say that all signs point to a network breach. That can happen a number of ways, including infiltration by a contaminated email that gets into the company’s system, or when information is intercepted along the company’s payment systems, from the point of sale to a database or processor.
The family-owned grocer, with about 100 locations in five states, said in its recent statement that it “has been focused on identifying each store that was affected and the dates during which cards could have been accessed.”
“As soon as we complete that analysis in the coming days, we will provide that information to the credit card companies so that they can notify all of the banks who issued cards that may have been accessed. Those banks will then be able to conduct additional monitoring of those cards or cancel and reissue new cards,” the statement said. “We will also post a list of those stores and the time frames on our website.”
Asked Monday to clarify whether only some stores were affected by the breach, Lori Willis, Schnuck Markets director of communications, said she could not elaborate.
On Monday, customers at the company’s sole store in Bettendorf, Iowa, reported possible credit card problems.
Previously, customers who reported fraudulent charges had shopped at stores in the St. Louis area.
Willis said in an email, “We cannot, at this time, rule out possible Iowa involvement.”
On March 30, the company said a forensic investigator it hired found evidence of computer code in its system that was enabling the information from magnetic stripes to be lifted and stolen.
The company said at the time it had “found and contained” the problem.
However, customers should continue watching their accounts for fraudulent charges, because information stolen before the company made the announcement is likely still being sold and used on counterfeit cards.